Infrequent cyber wargames betray organisations’ inadequate data-breach response

Preparing and testing your cybersecurity response before a breach can help preserve public trust after one happens: OAIC

Credit: ID 77638922 © Stuart Miles |

Nearly half of businesses had suffered a data breach in the past year but over two-thirds of executives don’t understand their role in the company’s cyber security response plan, according to new research that also found just 24 percent of business executives are highly confident their organisation could withstand a cybersecurity attack.

The Deloitte survey, of 3685 professionals attending an online webinar in May, highlighted the lack of preparation for cybersecurity events through cybersecurity ‘wargames’ – practice runs to test individuals’ preparations and organisational responses to cybersecurity attack.

Some 41.2 percent of respondents said their organisation doesn’t conduct cyber wargames, while just 12.5 percent said they had participated in such an effort in the past 12 months.

This, despite 43.4 percent of executives admitting their companies had suffered a data breach in the same past 12 months.

“Cyber wargames are an important way to raise awareness of the latest cyber risks and attack types, as well as cyber risk management and adaptive response capabilities an organization needs during, after, and preparing for the next cyber incident,” said Daniel Soo, cyber wargaming leader for Deloitte Cyber Risk Services, in a statement.

“The most impactful wargames are those that use live knowledge of an organisation’s current threat environment to support the decision-making process across operations, finance, regulatory, marketing, and beyond.”

Deloitte’s Cyber Risk Services division has increasingly been working with client organisations to design, run, analyse, and re-run cyber wargames up to 6 or 8 times annually.

Such initiatives are real-world analogues of ‘hackathon’ events now being regularly held at different levels of engagement by parties such as the organisers of CySCA, the industry-backed Australian cyber competition that recently pitted more than 100 university teams against a series of hacking challenges.

Lack of awareness of cybersecurity issues is allowing a range of accidental data breaches such as the recent own-goal by kitchenware provider Neoflam Australia, which published warranty records containing the private details of over 7500 customers.

Such incidents can be traced back to a lack of consistent training on the secure handling of sensitive information: “If you have a legitimate administrator who should have access rights to sensitive data like customer information and they accidentally post their information in the public domain, there’s not much a company can do about it,” One Identity APJ regional manager Serkan Cetin said in a statement.

“This is why training employees on correct practices of handling sensitive information is vital for all organisations…. Organisations can build alerting tools to ensure that once this malicious or mistaken action is taken, it is corrected quickly.”

Breaches of public trust can be repaired

Taking a proactive stance towards data protection and incident response can be the difference between building trust with consumers and destroying it, Andrew Solomon, acting deputy commissioner with the Office of the Australian Information Commissioner (OAIC), told the audience at the recent AISA National Cybersecurity Conference.

Calling 2018 “a watershed in community knowledge and reaction to what’s happening to their personal information,” Solomon said the OAIC “does not agree that the resulting impact [of a breach] on community trust is irreparable.”

“Trust in an organisation is not necessarily extinguished immediately when a breach occurs,” he continued. “It’s how organisations manage the breach that really matters.”

“A well-considered and effective response strategy, coupled with a proactive breach risk mitigation and identification strategy, can help maintain public trust and confidence in the way you’ve maintained personal information.”

Deloitte consultants’ experiences with companies during scenario planning had produced several key learnings that businesses should keep in mind – ranging from a focus on learning objectives and involvement of a broad group of participants, to keeping it simple at the start and ensuring that scenarios are plausible and tap into realistic vulnerabilities.

“Identifying intersections between different teams and mixing siloes creates a more realistic dynamic,” Deloitte’s analysis advised. “And identifying a realistic scenario with realistic vulnerabilities drives real actionable results.”

Tags DeloitteOAIC

Show Comments